It looks like Cenzic is suing SPI Dynamics (now owned by HP) over a patent infringement. Cenzic has patented fault injection. Cenzic obviously feels confident that SPI is infringing on the technology they have patented. It’s a strange move, given how many people have vested interests in making this patent go away. Now that Cenzic has become litigious, it seems like it would be in the best interest of the industry, and indeed of all companies everywhere that use other scanning technology, to get the patent thrown out. I didn’t care about this when I first read about it, but now that Cenzic has taken to suing companies, I feel compelled to take action.

Personally I hope that SPI wins this and the patent is thrown out, for a number of reasons. I think the patent is obvious, that the technique was done prior to their claims, and that it has been invented by dozens of people and companies over the years who have released their findings under various copyrights and licenses (myself included - I built a number of tools that injected specific faults into systems as early as 1995, and let’s not forget SATAN, written in 1993, and stuff like the PHF scanning worms in 1996). But most importantly, it’s hostile to the industry as a whole. It would only make things far more difficult, inhibit innovation, and reduce our ability to secure the Internet as a whole. I have nothing against Cenzic, but this patent must die. In the meantime, until this patent is thrown out, you are taking a risk if you have built any fault injection scanning technology that does not license Cenzic’s patent. Everyone else, please submit your prior art to the comments of this post or to SPI’s lawyers as you see fit.

This entry was posted on Monday, August 20th, 2007 at 11:19 am and is filed under General News, Webappsec.

In my country (NL) they would fail due to our fair trade commission. It’s illegal to gain a monopoly for one company in my country, and for good reason. This really sucks, Cenzic. Let’s patent the air Cenzic is breathing; it’s basically the same: you kill something.

A while back I had a good look at this patent and certainly came to the conclusion (along with several other experts and people in law) that it just wasn’t defensible. However, it costs a lot of money to attack a patent, not to mention the potential risk of losing. In the end we decided it just wasn’t worth the risk.

I’m hoping that HP does go ahead and attack the patent, both to protect themselves and as a service to the community (is there any way we can get in contact with them to voice our support and possible service?), as they certainly have deep enough pockets to do so.

Funny stuff. Cenzic must be bitter for having been left out of the acquisition game. I wonder how they chose HP (http://support.openview.hp.com/SPY_Dynamics_Support.jsp) over IBM (http://www-306.ibm.com/software/rational/welcome/watchfire/).

This really smacks of desperation. They’re probably not as desperate as SCO was, but they have to know this suit is a long shot, especially given recent rulings like KSR v. Teleflex.

This must have come up in due diligence for the HP acquisition. HP must have known of this during the purchase diligence. You can’t just sue, you have to notify first, which most likely would have happened before Aug 1st.
It would seem that HP and SPI decided to disregard this as a real threat, or the deal most likely would have been called off, or delayed until outcome was certain. Hope that bodes well for the defeat of this patent.

Looks to me that both of these are very similar to each other, so at the minimum the Cenzic one is probably going to be dismissed as the later filer.

It’s not unusual for big companies to simply hold patents in hand as “mutually assured destruction” in case another big company sues them. From that aspect I’d much rather have IBM or HP as the patent holder, as they are more likely just to ignore the “little guy”.

It seems to me that this patent is based on network fault injection, so it is broader than the Watchfire patent. For those of us who remember, Cenzic had a product (also, confusingly, called Hailstorm) back in the 2000 timeframe that did network fault injection - this is what I think this patent is based off.

Two things:
1. Software patents, except in a very few specific cases, are bad for almost everyone, and shouldn’t exist. Maybe this is a debate for another day, but I think it’s clear that software patents don’t spur innovation, as I’ve never met a person who coded something he wouldn’t have if he couldn’t patent it.

2. Cenzic’s patent is actually more restrictive than most people here seem to understand. It isn’t only restricted to network fault injection, but also to a certain approach. Most other scanners are NOT in conflict with this patent because they scan based on prior knowledge of specific vulnerabilities. This patent specifically applies to an iterative process of testing parameters for a class of common coding errors, using a complex grammar to do so.

Now, I’m not saying that there isn’t prior art, because my experience is that there isn’t a software patent without prior art, but there isn’t as much as many here imply. MOST security scanners, and specifically scanners that operate based on real vulnerability information, do not step on this patent.